Certified Information Security Manager (CISM) — Question 934

Which of the following defines the MOST comprehensive set of security requirements for a newly developed information system?

Answer options

• A. Baseline controls
• B. Audit findings
• C. Risk assessment results
• D. Key risk indicators (KRIs)

Correct answer: C

Explanation

The correct answer is C, as risk assessment results offer a thorough analysis of potential threats, vulnerabilities, and impacts, thereby establishing a comprehensive foundation for security requirements. Options A, B, and D provide useful information but do not encompass the full range of security needs for a newly developed system.